7 Different Kinds of Attacks

- Volumetric attacks
  - saturate Internet links
  - overload firewalls, servers and other resources
  - typical examples: SYN flood, UDP flood, ICMP flood and Smurf attacks
- Application layer attacks
  - more intelligent
  - need fewer resources (botnet costs)
  - target vulnerabilities in applications
  - evade flood detection mechanisms
- Cloud infrastructure attacks
  - cloud solutions turn the Internet into the "corporate WAN"
  - attacks target the entire cloud infrastructure (firewall, mail & web servers)
  - detection and mitigation are complex
  - attacks can affect several customers at the same time

(slide contains animation)

SAY
Attacks also come in different flavors.
(click)
The first type of attack is a volumetric one. This is a traffic flood of some kind. Some common types are SYN or ICMP floods, but there are many different types.
Next, we have application layer attacks. These are harder to detect since they are NOT associated with massive traffic volumes. These kinds of attacks try to exploit weaknesses in the software in order to consume resources: malformed HTTP GET requests, that sort of thing.
Finally there are cloud infrastructure attacks. These are separated due to the nature of a cloud in the first place. While their form can be either of the two previous types, because it is a cloud, the detection and mitigation become much more complicated.

8 Attack Methods and Tools

- Many different ones
  - configurable Perl scripts, Java scripts, ready-made tools
  - Windows, OSX, Android
- Distributed as
  - stress tester utilities
  - development toolkits
  - malware
- Used as
  - individual attack
  - voluntary 'hacktivist' attack
  - botnet-backed attack

SAY
It's not like the tools required to make these attacks are difficult to come by.
Some Google searching will quickly send you to many utilities that are called 'stress test' or 'development' tools.
It's also easy to find botnet control software that you can use to initiate these tools remotely from multiple compromised systems at once.
Many of these tools are freely distributed and have simple-to-use interfaces. While advanced configuration is always an option, getting them running is as easy as a few mouse clicks.

(slide label: booster scripts)

11 Traditional Volumetric Attacks

- SYN flood
  - targets the connection tables (router/firewall)
  - layer 3 attack
  - the target is "flooded" with TCP SYN packets

SAY
There are some traditional and well-known attacks that can be used to flood a network with traffic.
A SYN flood is a layer 3 attack that sends a massive number of SYN packets at the target. These TCP connections never finish. So the goal is that all available connections are used up by these fake SYN packets, each of which consumes a connection on the server until the TCP timeout occurs, typically 15 to 30 seconds.
A UDP flood behaves a little differently. The attacker fires UDP packets at random ports on the server. The server will then check to see if there is a service listening on that port and reply back if there is not. So the goal for this attack is really to have the server spending all its CPU and network resources replying to these false UDP requests.
These are both very easy attacks to set up; even without any special tools, simple scripting languages can easily take care of it.

(diagram labels: Session Time, Timeout, Maximum concurrent connections)
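The relationship the diagram labels hint at (session timeout versus maximum concurrent connections) can be made concrete with a small model of the server's half-open connection table. This is an added example written for this slide, not code from the original deck or from Fortinet; every rate, timeout and table size in it is a constructed figure for illustration.

```python
"""Why a SYN flood fills a connection table, and why the timeout matters.

Added example for this slide; it is not code from the original deck or from
Fortinet. It models a server's half-open (SYN_RECV) table: every unanswered
SYN holds one slot until the handshake timeout expires. All rates, timeouts
and table sizes below are constructed for illustration.
"""
from collections import deque


def half_open_count(syn_times, now, timeout):
    """Number of SYNs still holding a slot at time `now`.

    A SYN sent at time t occupies its slot during (t, t + timeout], so only
    SYNs newer than now - timeout still count.
    """
    return sum(1 for t in syn_times if now - timeout < t <= now)


def steady_state_occupancy(syn_rate, timeout):
    """Slots held in steady state by unanswered SYNs arriving at syn_rate per
    second (Little's law: occupancy = arrival rate * holding time)."""
    return syn_rate * timeout


def saturating_syn_rate(max_connections, timeout):
    """Lowest sustained SYN rate (packets/s) that keeps the table full."""
    return max_connections / timeout


def simulate_flood(syn_rate, timeout, max_connections, duration):
    """Replay a constant-rate flood second by second.

    Returns (first_second_table_was_full or None, peak_occupancy). SYNs that
    arrive while the table is full are dropped, which is exactly the
    condition under which legitimate clients can no longer connect.
    """
    table = deque()          # timestamps of half-open entries, oldest first
    first_full = None
    peak = 0
    for second in range(duration):
        # expire entries whose handshake timeout has passed
        while table and table[0] <= second - timeout:
            table.popleft()
        # admit new SYNs until the table is full; the rest are dropped
        for _ in range(syn_rate):
            if len(table) >= max_connections:
                break
            table.append(second)
        peak = max(peak, len(table))
        if first_full is None and len(table) >= max_connections:
            first_full = second
    return first_full, peak


if __name__ == "__main__":
    # constructed scenario: 1000-entry table, 100 SYN/s flood
    for timeout in (30, 5):
        full_at, peak = simulate_flood(100, timeout, 1000, 120)
        print(f"timeout={timeout:>2}s  peak={peak:>4}  full at second: {full_at}"
              f"  (steady state {steady_state_occupancy(100, timeout)})")
    print("SYN rate needed to saturate with 30 s timeout:",
          round(saturating_syn_rate(1000, 30), 1), "pkt/s")
```

With the 30 s timeout the slide mentions, a flood of only 100 SYN/s fills a 1000-entry table within ten seconds and keeps it full; cutting the timeout to 5 s caps the same flood at 500 held slots. That is the lever a rate-based detector watches: the SYN arrival rate approaching `saturating_syn_rate` for the protected host's table size and timeout is the point at which legitimate handshakes start to fail.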

14 The Slowloris Attack

- attack on HTTP from a single client PC
- old(!!), already identified in 2009
- opens a connection to a web server
  - not all web servers are vulnerable
- sends valid but incomplete, never-ending requests
  - principle: send "something" to prevent a timeout
- sockets are held open
  - no sockets ... no service

SAY
Most people with firewall experience are at least familiar with many layer 3 and 4 attacks.
Slowloris is just one of the common attack tools that you can obtain free on the Internet. It's not new, but still very effective.
It does an LDoS attack, so it does not flood the target with traffic, and it occurs on layer 7.
Legitimate but incomplete HTTP requests are sent in order to consume sockets on the server and hold them open. This will max out the number of connections the web server is capable of maintaining, making sure that nobody can access the website. Not all web servers are vulnerable, and patches do exist for some servers that are. However, many administrators out there are not aware of this, which is what attackers of any kind always depend on.
A firewall would offer you no protection against this sort of attack.
FortiDDoS can easily recognize that these requests are incomplete and stop this attack.

(diagram labels: GET, HEAD, POST, X-a)
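The slide's principle, "send something to prevent a timeout", explains why a plain idle timeout does not stop this class of request and why the detection has to look at whether the header block ever completes. The following is an added example written for this slide, not code from the original deck or from Fortinet; it implements both checks from the server or inline-device side, and the timestamps, header names and the 20 s header budget are constructed assumptions.

```python
"""Detecting Slowloris-style incomplete HTTP requests.

Added example for this slide; it is not code from the original deck or from
Fortinet. It shows the two checks a server or inline device can apply to a
connection: a per-connection idle timeout (which a slow client defeats by
sending a partial header line just before it fires) and an absolute budget
for finishing the request headers (which catches it). Timestamps, header
names and the 20 s budget are constructed for illustration.
"""

HEADER_END = b"\r\n\r\n"     # blank line that terminates the HTTP header block
HEADER_BUDGET = 20.0         # seconds allowed to complete the headers (assumed)


def idle_timeout_triggers(chunks, idle_timeout):
    """Would a plain idle timeout ever fire on this connection?

    `chunks` is the list of (timestamp, bytes) received, in order. The idle
    timer resets on every chunk, so it only fires if some gap exceeds it.
    """
    gaps = (later[0] - earlier[0] for earlier, later in zip(chunks, chunks[1:]))
    return any(gap > idle_timeout for gap in gaps)


def classify_request(chunks, header_budget=HEADER_BUDGET):
    """Classify a connection by whether its header block completed in time.

    Returns 'complete'   if the blank line arrived within header_budget s of
                         the first byte,
            'incomplete' if the budget elapsed without it (the pattern the
                         slide describes, however often bytes trickled in),
            'pending'    if the budget has not elapsed yet.
    """
    if not chunks:
        return "pending"
    start = chunks[0][0]
    buf = b""
    for ts, data in chunks:
        buf += data
        if HEADER_END in buf:
            return "complete" if ts - start <= header_budget else "incomplete"
    elapsed = chunks[-1][0] - start
    return "incomplete" if elapsed > header_budget else "pending"


def tally(connections, header_budget=HEADER_BUDGET):
    """Count connections per class; the 'incomplete' count is what an
    operator would alert on or feed into a block decision."""
    counts = {"complete": 0, "incomplete": 0, "pending": 0}
    for chunks in connections:
        counts[classify_request(chunks, header_budget)] += 1
    return counts


# constructed samples: one normal request and one slow, never-ending one
LEGIT = [(0.0, b"GET / HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: x\r\n\r\n")]
SLOW = [(0.0, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n")] + [
    (10.0 * i, b"X-a: b\r\n") for i in range(1, 7)   # a filler header every 10 s
]

if __name__ == "__main__":
    print("idle timeout (15 s) fires on slow request:", idle_timeout_triggers(SLOW, 15.0))
    print("legit:", classify_request(LEGIT), " slow:", classify_request(SLOW))
    print(tally([LEGIT, SLOW, SLOW]))
```

On the constructed slow connection the 15 s idle timer never fires, because every gap is 10 s, while the absolute header budget classifies it as incomplete once 20 s have passed without a terminating blank line. Web servers that are not vulnerable enforce a limit of this second kind on header completion time, which is the check the slide credits FortiDDoS with performing in front of the server.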

23 FortiDDoS Defense Mechanisms

- Deployed IN FRONT OF the firewall
  - transparent integration
  - bypass option with FortiBridge
- Data flow processing with FortiASIC-TP
  - automatic modelling of the permitted traffic
  - "baselining" depending on calendar data
  - adaptive threshold adjustment
    - typical traffic growth is taken into account
    - no re-measurement required
- Support for multiple links
  - up to 8 virtual instances
  - no additional hardware appliance required
- DDoS protection with FortiDDoS

SAY
When you deploy a FortiDDoS, normally it's likely going to be at the edge of a customer site or within an ISP. It's possible to locate it just about anywhere within a network, but realistically those are the two most likely locations, as they will give you the best protection.
Deployment is always transparent, so there's no change to the network.
If they want a bypass option, it's recommended to use the FortiBridge to allow for an uninspected traffic route. FortiDDoS has two modes of operation, one where it monitors traffic and one where it will block traffic, but in the case of an outage, if uptime is required, a FortiBridge is a viable option.
Inspection of traffic is handled by the on-board FortiASIC-TP processor.
Over time the unit plots a baseline for your traffic. It builds up a calendar-based model and can adapt to sudden increases in legitimate traffic.
What this means is that if you put the unit in place during an attack, you will get detection, but some of the attack may get through. Once the unit has been working for a little while and has built up even a few hours of data, you can run the built-in wizard and it will offer adjustments to settings for a more accurate deployment.

(diagram labels: Links from ISP(s), Firewall, FortiGate, Hosting Center)

24 FortiDDoS Defense Mechanisms

- Hardware-accelerated DDoS defense
  - rate based detection
- Inline full transparent mode
  - no MAC address change
- Self-learning baseline
  - adapts depending on behaviour
- Granular protection
  - detailed threshold settings
  - faster reaction to changes
  - fewer false positives

SAY
This is where the FortiDDoS comes in.
You have hardware-accelerated defense with intent-based protection.
Because there's no CPU and detection is hardware based, you get full line-rate detection, even when an attack is happening.
The unit also learns your network over time and adapts to traffic patterns within your network.
Because the unit is specialized for DDoS protection, you have incredibly granular options for threat mitigation, which allows the unit to prevent the malicious traffic while still allowing legitimate traffic to pass through.

(diagram labels: ISP 1, ISP 2, Web Hosting Center, FortiDDoS™, Firewall, Legitimate Traffic, Malicious Traffic)

25 How FortiDDoS Works

(diagram labels: Virtual Partitioning, Geo-Location ACL, Protocol Anomaly Prevention, Packet Flood Mitigation, Stateful Inspection / Out of State Filtering, Granular Layer 3 and 4 Filtering, Application Layer Filtering, Algorithmic Filtering, Heuristic Filtering, Bogon Filtering; Attack Traffic; Legitimate Traffic)

- Detection entirely in hardware
  - packet processing by FortiASIC-TP
  - classification and evaluation across several levels/layers
  - correlation with a dynamically generated traffic model
- Detection of
  - protocol anomalies
  - threshold violations and
  - application level attacks
- Elimination takes place on the FortiDDoS
  - no traffic redirection or control plane interruption (BGP)
  - no hidden costs
  - simple deployment
  - immediate effect

SAY
Detection happens in hardware, not software.
To compare this with a FortiGate, everything there happens in the CPU, so traffic has to pass through different layers of the operating system in order to get to the inspection process, and then back down to get out. The FortiDDoS doesn't have that, just hardware.
There's no traffic redirection or control plane, so traffic is simply dropped. There's no option for anything else.
Unlike other methods of protecting your network, there are no hidden costs. It's very easy to deploy and can provide you with immediate relief from an attack.
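Slides 23 to 25 describe the same detection idea from three angles: a calendar-based baseline learned from the traffic, thresholds that adapt to normal growth without re-measurement, and rate-based detection of threshold violations. The following is an added example that illustrates that idea; it is not code from the original deck and not the FortiDDoS algorithm, which the slides do not disclose. The hour-of-day history, the 2 % daily growth, the 20 % growth allowance and the 3-sigma margin are all constructed assumptions.

```python
"""Calendar-based traffic baseline with adaptive thresholds.

Added example for slides 23 to 25; it is not code from the original deck and
not the FortiDDoS algorithm. It illustrates the ideas the slides name: learn a
per-hour baseline of packets per second from history, allow for normal
traffic growth, and flag samples that exceed the learned threshold (rate
based detection). The history, the growth allowance and the 3-sigma margin
are constructed assumptions.
"""
from statistics import mean, pstdev


def learn_baseline(samples):
    """samples: iterable of (hour_of_day, packets_per_second).

    Returns {hour: (mean, stdev)}; the hour key is the 'calendar' dimension,
    so the same absolute rate can be normal at 14:00 and anomalous at 03:00.
    """
    by_hour = {}
    for hour, pps in samples:
        by_hour.setdefault(hour, []).append(pps)
    return {h: (mean(v), pstdev(v)) for h, v in by_hour.items()}


def threshold(baseline, hour, growth=0.20, k=3.0, floor=100.0):
    """Adaptive threshold: mean + k*stdev, raised by a growth allowance so
    ordinary traffic growth does not require re-learning, never below floor."""
    mu, sigma = baseline[hour]
    return max(floor, (mu + k * sigma) * (1.0 + growth))


def detect(baseline, observations, **kw):
    """Return (hour, pps, threshold) for every observation above its threshold."""
    alerts = []
    for hour, pps in observations:
        limit = threshold(baseline, hour, **kw)
        if pps > limit:
            alerts.append((hour, pps, limit))
    return alerts


# constructed history: 7 days of a diurnal profile, 2 % more traffic each day
def _profile(hour):
    if hour < 6:
        return 500.0
    if 9 <= hour < 18:
        return 2000.0
    return 1000.0


HISTORY = [(h, _profile(h) * (1 + 0.02 * day)) for day in range(7) for h in range(24)]

# constructed observations: normal growth at 14:00, floods at 03:00 and 14:00
OBSERVATIONS = [(3, 600.0), (3, 5000.0), (14, 2700.0), (14, 9000.0)]

if __name__ == "__main__":
    base = learn_baseline(HISTORY)
    for hour in (3, 14):
        print(f"{hour:02d}:00 mean={base[hour][0]:.0f} threshold={threshold(base, hour):.0f}")
    for hour, pps, limit in detect(base, OBSERVATIONS):
        print(f"ALERT {hour:02d}:00 {pps:.0f} pps > {limit:.0f}")
```

The per-hour key is what lets 2700 pps pass at 14:00 (within the learned daytime profile plus growth) while 5000 pps at 03:00 is flagged against a night-time threshold of roughly 700 pps. The caveat on slide 23 follows directly from `learn_baseline`: samples collected while an attack is in progress pull the mean and standard deviation upward, so a unit placed during an attack starts with an inflated baseline and lets part of the attack through until it has seen enough clean traffic.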